Wingate Access Rules

Postby gwood » Sep 15 22 7:58 am

I am a new WinGate user, currently evaluating for corporate use. Encountering some inconsistencies in what the docs say vs behavior in how lists vs sites work. If I set up a "Banned Sites" rule which contains a "Site in list" as part of the "What" under rule properties, it does not seem to work the same as an implicit site. In other words, how the site is treated appears to be different between the two options:

Match against specific site
--or--
Match against sites in data list

Wingate Help says, "Sites with or without www on the front are considered the same. e.g. Both http://www.wingate.com and wingate.com will match a classification that specifies either http://www.wingate.com or wingate.com as the site name." This seems to be true for an implicit site set in a rule. But if you use the list mechanism instead of individual sites, it does not behave the same way. Perhaps this is normal, but it seems counter-intuitive. We have hundreds of sites which need to be added to a list. However, I am finding that I need to add both "site.com" and "www.site.com" to the list of strings to make it block properly.

Is this expected behavior? I also noticed that there is a button to "Link the content of another list to this list". Should I be using this instead of entering individual matching values as strings in the Edit list? I've also tried both "exact match" and pattern match.

I also find that if I do "*site.com" in pattern match that it will block a request for "<any other chars>site.com", but it does not seem to block a request for "www.site.com" or "site.com", which also does not seem correct.

Some clarification would be much appreciated.
gwood
 
Posts: 5
Joined: Sep 13 22 10:28 am
Location: Canada

Re: Wingate Access Rules

Postby adrien » Sep 18 22 8:44 pm

Hi

Data lists are lists of plain text with support for pattern matching.

So whilst the site matching rule in the web access rule can tell that www.xyz.com is a child of xyz.com, a plain text matching which is used by the data lists cannot, it instead uses pattern matching, and to get any child of xyz.com, you'd need an entry *.xyz.com, and also one for just xyz.com if you wanted the parent domain to match as well as the child domains.

If you use *cat.com, it will match cat.com, persian.cat.com but also notacat.com.

So the matching you're seeing is expected behaviour. We would need to add support for a data list to know that it contains domains, so that it can treat subdomains differently.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Wingate Access Rules

Postby gwood » Sep 22 22 8:38 am

Thanks, Adrien!

That follows what I am seeing. I have some other questions: keeping text files with lists of allowed or not allowed websites is easier than entering them all through the Edit List dialog box. Is there any special format for those files, or any special extension which must be on them? Also what is more efficient at run-time, text file lists or lists maintained through Wingate's internal list facility? We've got a lot of both allowed and banned sites for various corporate domain groups (100's of sites) and I'd prefer to do this with as little overhead as possible.

Lastly with respect to wildcards and domains; assuming that we are using lists do I need a wildcard asterisk on both sides of a domain name to ensure that no one can use that domain at all, or is that necessary? In other words, will *domain.com on a banned list ensure that no users can manually type http://www.domain.com/specific_page or do I need to do *domain.com*, or should I just do two entries, *.domain.com and domain.com?
gwood
 
Posts: 5
Joined: Sep 13 22 10:28 am
Location: Canada

Re: Wingate Access Rules

Postby adrien » Sep 23 22 3:27 pm

For your first question, it should be about the same performance whether the entries are in a file or in the list, and it can be certainly a lot easier to do larger inserts into a file.

There's a little overhead checking the file timestamp occasionally to see if it was modified.

The filename can be anything, as you choose the file directly, so no requirement around extensions, so whatever suits your text editor the best. There is a 256MB size limit though.

It handles ASCII, UTF-8 and UTF-16 with Byte Order Markers.

No support for comments.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Wingate Access Rules

Postby adrien » Sep 23 22 3:29 pm

For the second question:

If you are matching "site" against the list instead of "URL" against the list, you don't need to worry about things after the servername in the requested URL.

In your example, matching "site" against http://www.domain.com/specific_page would only be matching on "www.domain.com", so the matching items etc shouldn't specify things like slashes or anything after the domain name, as that will prevent a match.

If you want to match on particular URLs in a site, you'll need to check the URL against the list, rather than checking the site against the list.

Hope that makes sense.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
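
The matching behaviour described in the two replies above, as an added example that is not part of the original posts and not WinGate code: it compares the over-broad *cat.com entry with the xyz.com / *.xyz.com style pair, shows what a "site" match sees of a URL, and lints a list for entries that will misbehave. Assumptions: Python's fnmatch stands in for the data-list pattern matcher, matching is case-insensitive, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def site_of(url: str) -> str:
    """Return only the server name, which is what a "site" match compares."""
    if "://" not in url:
        url = "//" + url          # let urlsplit parse scheme-less input
    return (urlsplit(url).hostname or "").lower()

def list_matches(entries, value: str) -> bool:
    """Plain-text comparison where '*' matches any run of characters.
    Assumption: fnmatch models the product's matcher, case-insensitively."""
    value = value.lower()
    return any(fnmatchcase(value, e.lower()) for e in entries)

def entries_for(domain: str):
    """The two entries from the thread: the parent itself and any child of it."""
    return [domain, "*." + domain]

def lint(entries):
    """Flag entries that will not behave as a domain block in a site match."""
    findings = []
    for e in entries:
        if "/" in e:
            findings.append((e, "contains a path or scheme; a site match never sees one"))
        elif e.startswith("*") and not e.startswith("*."):
            findings.append((e, "leading '*' without a dot also matches unrelated domains"))
    return findings

if __name__ == "__main__":
    # Constructed probe hosts, using the domain names from the thread.
    for name, entries in [("*cat.com", ["*cat.com"]), ("pair", entries_for("cat.com"))]:
        for host in ["cat.com", "persian.cat.com", "notacat.com"]:
            print(f"{name:10} {host:18} {list_matches(entries, host)}")
    print(site_of("http://www.domain.com/specific_page"))
    print(lint(["*cat.com", "*.cat.com", "*domain.com/specific_page"]))
```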

Re: Wingate Access Rules

Postby gwood » Sep 27 22 9:47 am

Works perfectly! Thanks for the assistance.

The intention is to use it strictly as a proxy server with user access control via AD groups and so far, it appears to fit the bill very nicely.
One other thing that I noticed, is there a way to completely disable / remove the SMTP services? The delivery service gets started every time that the main service starts and does not have a delete option on it.
gwood
 
Posts: 5
Joined: Sep 13 22 10:28 am
Location: Canada

Re: Wingate Access Rules

Postby adrien » Sep 28 22 10:17 am

The SMTP delivery service is used to deliver internally-generated notifications. So things like the Send Email item inside flow-chart policy depend on it.

If there's nothing to deliver it won't have much to do, and doesn't really consume anything, or have any ports open (it connects out only, so doesn't listen for connections).

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Wingate Access Rules

Postby adrien » Dec 25 23 5:07 pm

Hi

There is no requirement about file extension, since you select the full path of the file, the extension is effectively just part of the filename as far as WinGate is concerned.

Format, we support various Unicode options, either with a byte order marker and UTF-16, or you can use UTF-8 or plain ASCII (which is a subset of UTF-8 anyway).

Line per entry, each line terminated by either \r\n (CRLF) or \n (newline).

WinGate stores the entries in 2 separate containers, depending on whether there are wildcards in the value. Non-wildcarded values go into a map, which has the benefit of a fast lookup, so you can add a lot of these with minimal impact on performance.

Wild-carded entries need to go into a list, and evaluated one after the other, so many many wild-card entries can start to eat into performance.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
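
A model of the list-file format and the two containers described in this thread, as an added example that is not part of the original posts and not WinGate code: it builds a file from bare domains, decodes UTF-16 with a byte order marker, UTF-8 or ASCII, splits on CRLF or LF, and keeps exact entries in a set and wildcard entries in a list. Assumptions: "256MB" is taken as 256 * 2^20 bytes, blank lines are skipped, matching is case-insensitive with fnmatch standing in for the matcher, and all function names are hypothetical.

```python
import codecs
from fnmatch import fnmatchcase

MAX_BYTES = 256 * 1024 * 1024   # size limit stated in the thread (unit is assumed)

def build(domains) -> bytes:
    """Emit one entry per line: the domain itself plus '*.domain' for children."""
    lines = []
    for d in sorted({d.strip().lower() for d in domains if d.strip()}):
        lines += [d, "*." + d]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")

def decode_list(raw: bytes) -> str:
    if len(raw) > MAX_BYTES:
        raise ValueError("list file exceeds the 256MB limit")
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")   # the BOM selects endianness and is consumed
    return raw.decode("utf-8-sig")    # UTF-8 with or without BOM; ASCII is a subset

def load(raw: bytes):
    """Return (exact, wild): hashed lookup for plain values, ordered scan for patterns."""
    exact, wild = set(), []
    for line in decode_list(raw).split("\n"):
        entry = line.rstrip("\r").lower()
        if not entry:
            continue                  # assumption: blank lines carry no entry
        # No comment syntax exists, so a '# note' line becomes a literal entry.
        (wild if "*" in entry else exact).append(entry) if "*" in entry else exact.add(entry)
    return exact, wild

def blocked(host: str, exact, wild) -> bool:
    host = host.lower()
    # Cheap set lookup first; each wildcard entry then costs one comparison.
    return host in exact or any(fnmatchcase(host, p) for p in wild)

if __name__ == "__main__":
    raw = build(["Example.com", "example.com ", "intranet.example"])  # constructed input
    exact, wild = load(raw)
    print(len(exact), "exact entries,", len(wild), "wildcard entries")
    for host in ["example.com", "www.example.com", "notexample.com"]:
        print(host, blocked(host, exact, wild))
```

Keeping the wildcard list short and letting exact entries carry the bulk of the list follows the performance note in the post above.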

